Password storage on premises

One of the things I was tasked with when I began this position was to find a solution for on-premises password management. Why on prem when you can use something slick and cloud-based like LastPass, you ask? Well… It’s a financial institution. Auditors and compliance officers do not agree with cloud-based solutions. There are a few exceptions for some software we use, but they are few and far between. What made this even more of a challenge was that the company didn’t really want to shell out a significant expense for a paid version of something. So where did that land me? KeePass.

KeePass is free, fairly secure, and its configuration allows for enforceable rules through editing an XML document. Login can be multi-factor or a single password. You can have Windows authentication, a token (via available plugins), certificate-based login, a master password, or a combination of these. Because we have users that switch desks at times, we went for the option of using a master password. The certificate-based and Windows authentication options are tied to the device itself, though the database file can carry over with the user’s profile.

Here is the proposal I wrote for the company, which highlights some of the features of the product and includes links to additional information regarding the security of the product:
Password management and safety play a key role in cyber security. Employing software that allows staff to securely store their information is of interest. We have been testing a product called KeePass, and believe that this may be a viable solution for the company. KeePass offers 256-bit AES encryption with enforced access by a master password to the vault, along with other potential multi-factor authentication options including the use of a domain user account and/or certificate-based authentication. KeePass can be customized, which is beneficial. Furthermore, it is an on-premises solution, putting the control in our hands rather than relying on cloud-based storage, as many password management sites are geared towards. Here is a small sampling of the features that have been enforced:

Master password minimum requirement is 16 characters
Master password must also be at least 20 bits in quality
Master password is set to expire every 90 days
Clipboard clears after 30 seconds
Limited to a single instance being open
Workstation (KeePass window) auto-locks after 15 minutes
Auto-type to websites has been disabled
Invalid certificates are not accepted
Database auto-saves upon any changes being made
Expired entries will prompt a warning

These rules are enforced through an XML enforced-configuration file that applies to each user upon the creation of their database. Some options have been left open for the user to customize the basic look and feel of their windows and menus; however, any options relating to security or policy have been locked. Access to the enforced configuration file is strictly limited to the IT administrators, and KeePass will be accessed through a secure drive, with limited read/execute privileges for the users, while the enforced configuration file remains hidden.

KeePass vulnerabilities are continually addressed, and the company makes that clear on the security page within their site. Vulnerabilities and actions taken may be viewed on their site here. The developers of KeePass remain active on SourceForge and have extensive documentation and help topics available. They continue to update the product, with the most recent being 01/09/19. More information can be found here.

KeePass underwent a thorough security audit by the European Commission’s Free and Open Source Software Auditing, and while there were minor problems within the code, no real security threats were found. I have attached a copy of the full PDF report for your viewing. keepass audit

KeePass has also received awards from the German Federal Office for Information Security, along with awards from the French Network and Information Security Agency. The program also comes recommended by a number of online forums and websites such as PCMag, How to answer, and Krebs. You may view several of these articles and recommendations here.

We are investigating additional ways to secure the program. There are a few nuances, such as the use of Windows authentication. Adding this provides an additional layer of security by verifying that it is the same user who is logged on before the database can be opened; however, if the user (or another user) attempts to open the file from another location, KeePass will reject the composite key as invalid. Through probing, it was also discovered that modifying permissions on the user’s database file does not grant access to its contents. While KeePass can be cracked, it would take a rather large effort on the attacker’s part, including cracking the master key hash and employing a keylogger. However, we have enforced entering the master key on the secure desktop in order to thwart keylogging. Information on breaching KeePass can be found here.

Overall, this program offers fairly robust security and should be considered an option for password management storage.

In order to create the enforced configuration, I went through a lot of trial and error adjusting settings within the program, and then copying them over to the enforced config file. This can be done in Notepad++. The way I chose to do the deployment was to copy the program to the C: drive for local users and modify the permissions on the XML enforced config file. With that deployment, I also copied a how-to file with screenshots to each user’s desktop. I am happy to say that it is a fairly intuitive program and most users adapted quickly. I would post that documentation here, but it has sensitive information in some of the screen captures.
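To make the two steps above concrete (the enforced configuration file that carries the policy list from the proposal, and the local deployment with locked-down permissions), here is an added example of a PowerShell deployment script. It is not from the original post or from the KeePass project; the staging share and install path are hypothetical, and the XML element names are the ones KeePass 2.x writes into its own KeePass.config.xml, so each should be verified by toggling the option in the GUI and diffing that file, which is the same trial-and-error process described above. The master-key expiry element is the least certain and is marked as an assumption in the code.

```powershell
# Added example (not from the original post or the KeePass project): deploy
# KeePass 2.x to a workstation, write an enforced configuration matching the
# policy list from the proposal, and lock the file down to administrators.
# Assumptions (hypothetical, adjust for your environment):
#   - KeePass has been unpacked to a staging share at $Source
#   - it is installed to $Dest on the local C: drive
#   - element names are those KeePass 2.x writes to KeePass.config.xml;
#     confirm each by changing the option in the GUI and diffing that file.
#Requires -RunAsAdministrator

$Source   = '\\fileserver\software\KeePass'   # hypothetical staging share
$Dest     = 'C:\Program Files\KeePass'        # hypothetical install path
$Enforced = Join-Path $Dest 'KeePass.config.enforced.xml'

# 1. Copy the program files to the local drive.
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $Dest -Recurse -Force

# 2. Write the enforced configuration. Anything set here overrides the
#    user's own %APPDATA%\KeePass\KeePass.config.xml and is greyed out in
#    the Options dialog; anything omitted stays user-customisable.
$EnforcedXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application>
    <FileClosing>
      <AutoSave>true</AutoSave>                      <!-- database auto-saves on change -->
    </FileClosing>
    <FileOpening>
      <ShowExpiredEntries>true</ShowExpiredEntries>  <!-- expired entries prompt a warning -->
    </FileOpening>
  </Application>
  <Integration>
    <LimitToSingleInstance>true</LimitToSingleInstance>
  </Integration>
  <Security>
    <WorkspaceLocking>
      <LockAfterTime>900</LockAfterTime>             <!-- 15 minutes, in seconds -->
    </WorkspaceLocking>
    <Policy>
      <AutoType>false</AutoType>                     <!-- auto-type disabled entirely -->
    </Policy>
    <MasterPassword>
      <MinimumLength>16</MinimumLength>
      <MinimumQuality>20</MinimumQuality>            <!-- bits of estimated entropy -->
    </MasterPassword>
    <!-- ASSUMPTION: 90-day forced rotation as an XSD duration; confirm element name and format -->
    <MasterKeyExpiryForce>P90D</MasterKeyExpiryForce>
    <MasterKeyOnSecureDesktop>true</MasterKeyOnSecureDesktop>
    <ClipboardClearAfterSeconds>30</ClipboardClearAfterSeconds>
    <SslCertsAcceptInvalid>false</SslCertsAcceptInvalid>
  </Security>
</Configuration>
'@
Set-Content -Path $Enforced -Value $EnforcedXml -Encoding UTF8

# 3. Permissions: stop inheritance, then grant Administrators and SYSTEM full
#    control and ordinary users read/execute only. Users must still be able
#    to read the file, or KeePass cannot apply the policy at startup.
$acl = Get-Acl -Path $Enforced
$acl.SetAccessRuleProtection($true, $false)   # $true = stop inheriting, $false = drop inherited rules
foreach ($rule in @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Users',          'ReadAndExecute')
)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($rule[0], $rule[1], 'Allow')))
}
Set-Acl -Path $Enforced -AclObject $acl

# 4. Hide the file from casual browsing. This is cosmetic; the ACL is the control.
$item = Get-Item -Path $Enforced -Force
$item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden

# 5. Verify: Users should have exactly one Allow entry and no Write or Modify right.
(Get-Acl -Path $Enforced).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it once per workstation as an administrator (or from your software deployment tool). The hidden attribute only keeps the file out of Explorer's default view; what actually prevents a user from loosening the policy is the ACL, so step 5 is worth keeping as a post-deployment check.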

Overall it has been a positive experience with this program, and it could be a potential solution for you as well. Hope you enjoyed this and were able to gain new knowledge. Have a great day! 🙂